Tell the project team how you are using cert-manager Take this short anonymous survey

Release Notes

The v0.16 release has a few focus areas:

  • Enable the new certificate controller for all users
  • kubectl cert-manager create certificaterequest for signing local certificates
  • v1beta1 API

As usual, please read the upgrade notes before upgrading.

New certificate controller

The Certificate controller is one of the most commonly used controllers in the project. It represents the 'full lifecycle' of an X.509 private key and certificate, including private key management and renewal.

In v0.15 we added the new certificate controllers under a feature gate to allow users to test these and gather feedback. Thanks to everyone testing these and reporting issues we were able to fix issues and improve the controller. In v0.16 this controller is now the default one in cert-manager.

For more information on this, we invite you to read our design document.

kubectl cert-manager tool for signing certificates

cert-manager v0.15 included a kubectl plugin that allows users to interact with cert-manager. In this release we have added a new sub-command to the cert-manager CLI which allows users to sign certificates on their computer or inside a container.

The kubectl cert-manager create certificaterequest command creates a new CertificateRequest resource based on the YAML manifest of a Certificate resource as specified by --from-certificate-file flag.

For example this will create a CertificateRequest resource with the name "my-cr" based on the Certificate described in my-certificate.yaml while storing the private key and X.509 certificate in my-cr.key and my-cr.crt respectively.

$ kubectl cert-manager create certificaterequest my-cr --from-certificate-file my-certificate.yaml --fetch-certificate --timeout 20m

More information can be found on our kubectl plugin page.

v1beta1 API

We are soon reaching cert-manager v1.0 and the new v1beta1 API is our first step towards a stable v1 API. The biggest change users may notice is the improved API documentation. We took the time to review and update all the user-facing APIs. You can view the updated API documentation online, or use kubectl explain after installing this version of cert-manager. v1beta1 does not contain many big changes, this version is focused on streamlining field names and general clean up of the API in preparation for the release of the v1 release.

These are the changes made (for reference, our conversion will take care of everything for you):

Certificate:

  • keyAlgorithm is now named algorithm under the privateKey property
  • keyEncoding is now named encoding under the privateKey property
  • keySize is now named size under the privateKey property
  • Encoding values PKCS1 and PKCS8 are now uppercase

CertificateRequest:

  • The field csr is now request

Issuer:

  • DNS01 providers with DNS in their name now are uppercase DNS, these are: cloudDNS azureDNS and acmeDNS

ACME Order:

  • The field csr is now request

ACME Challenge:

  • The field authzURL is now authorizationURL
  • Challenge types HTTP-01 and DNS-01 are now all uppercase
  • Unsupported challenge types (TLS-ALPN-01, TLS-SNI-01, TLS-SNI-02 and others) are not generated by cert-manager any longer

If you're using Kubernetes 1.15 or higher, conversion webhooks will allow you seamlessly interact with v1alpha2, v1alpha3 and v1beta1 API versions at the same time. This allows you to use the new API version without having to modify or redeploy your older resources. Users of the legacy version of cert-manager will still only have the v1alpha2 API.

kubectl cert-manager convert tool

To assist you updating your manifest files on disk (for example in your infrastructure Git repo) we offer v1beta1 support in kubectl cert-manager. The kubectl cert-manager convert command will be able to convert your manifest files to v1beta1 using:

$ kubectl cert-manager convert --output-version cert-manager.io/v1beta1 cert.yaml

More information can be found on our kubectl plugin page.